Solution
The message refers to a space character in the configured Distinguished Name (DN). The problem is easy to overlook, because 'Test Connectivity' on the LDAP server page can still report success: the admin bind succeeds, and the DN is only used afterwards as the search base for the user lookup.

When 'diagnose test authserver ldap <server name> <username> <password>' is run on the CLI, the test fails. Referencing this LDAP server in a user group that is used for actual user authentication (SSL VPN, for example) will most likely fail as well.

When running an fnbamd debug during this user test:
diag debug app fnbamd 255
diag debug enable
diag test authserver ldap WinServ-LDAP vpnuser1 <password>

[1738] handle_req-Rcvd auth req 92676843257857 for vpnuser1 in opt=0600001b prot=0 svc=7
[332] __compose_group_list_from_req-Group 'WinServ-LDAP', type 6
[507] create_auth_session-Session created for req id 92676843257857
[840] fnbamd_cfg_get_ldap_list-
[646] __fnbamd_cfg_get_ldap_list_by_server-
[306] fnbamd_user_ldap_create-vfid=0
[264] fnbamd_ldap_new-WinServ-LDAP
[104] __init_ldap_setting-Preping LDAP servers.
[88] __ldap_server_push-Inserted LDAP server '10.149.0.2'.
[269] fnbamd_ldap_new-WinServ-LDAP created
[322] fnbamd_user_ldap_create-LDAP servers are created, vfid=0, total=1
[348] fnbamd_ldap_get-vfid=0, name='WinServ-LDAP'
[652] __fnbamd_cfg_get_ldap_list_by_server-Loaded LDAP server 'WinServ-LDAP'
[856] fnbamd_cfg_get_ldap_list-Total LDAP servers to try: 1
[1751] fnbamd_ldap_auth_ctx_init-User: vpnuser1, password query: 0, group list query: 1, group only: 0, UPN query: 0, user domain query: 1
[874] fnbamd_ldap_get_auth_server-
[1704] __auth_ctx_svr_push-Added addr 10.149.0.2:389 from LDAP 'WinServ-LDAP'
[1536] __fnbamd_ldap_get_next_addr-Next available address of LDAP 'WinServ-LDAP': 10.149.0.2:389.
[1722] __auth_ctx_start-Connection starts WinServ-LDAP:10.149.0.2, addr 10.149.0.2:389
[1420] __ldap_tcps_open-vfid 0, addr 10.149.0.2, src_ip , ssl_opt 0
[1159] fnbamd_socket_update_interface-vfid is 0, intf mode is 0, intf name is , server address is 10.149.0.2:389, source address is null, protocol number is 6, oif id is 0
[1443] __ldap_tcps_open-oif=0, intf_sel.mode=0, intf_sel.name=
[1458] __ldap_tcps_open-Still connecting 10.149.0.2.
[1475] __ldap_tcps_open-Start ldap conn timer.
[1551] __ldap_conn_start-Socket 9 is created for LDAP 'WinServ-LDAP'.
[662] __ldap_add_job_timer-
[439] fnbamd_cfg_get_pop3_list-
[396] __fnbamd_cfg_get_pop3_list_by_server-
[221] fnbamd_pop3_get-vfid=0, name='WinServ-LDAP'
[333] fnbamd_pop3_auth_ctx_push-Failed to create pop3 ctx for 'WinServ-LDAP'.
[449] fnbamd_cfg_get_pop3_list-Total pop3 servers to try: 0
[433] start_remote_auth-Total 1 server(s) to try
[1881] handle_req-r=4
[1363] __ldap_tcps_connect-tcps_connect(10.149.0.2) is established. Current state: Connecting.
[1120] __ldap_auth_ctx_reset-
[984] __ldap_next_state-State: Connecting -> Admin Binding
[1378] __ldap_tcps_connect-Start ldap conn timer.
[1221] __ldap_rxtx-fd 9, state 2(Admin Binding)
[1223] __ldap_rxtx-Stop ldap conn timer.
[1232] __ldap_rxtx-
[472] __ldap_build_bind_req-Binding to 'FortiGate'
[1261] fnbamd_ldap_send-sending 35 bytes to 10.149.0.2
[1274] fnbamd_ldap_send-Request is sent. ID 1
[1120] __ldap_auth_ctx_reset-
[1257] __ldap_rxtx-Start ldap conn timer.
[1221] __ldap_rxtx-fd 9, state 2(Admin Binding)
[1223] __ldap_rxtx-Stop ldap conn timer.
[1260] __ldap_rxtx-
[1305] __fnbamd_ldap_read-Read 8
[1411] fnbamd_ldap_recv-Leftover 2
[1305] __fnbamd_ldap_read-Read 14
[1484] fnbamd_ldap_recv-Response len: 16, svr: 10.149.0.2
[1164] fnbamd_ldap_parse_response-Got one MESSAGE. ID:1, type:bind
[1200] fnbamd_ldap_parse_response-ret=0
[1120] __ldap_auth_ctx_reset-
[984] __ldap_next_state-State: Admin Binding -> DN Search
[1325] __ldap_rxtx-Start ldap conn timer.
[1221] __ldap_rxtx-fd 9, state 4(DN Search)
[1223] __ldap_rxtx-Stop ldap conn timer.
[1232] __ldap_rxtx-
[888] fnbamd_ldap_build_dn_search_req-base:'DC=40LABV2\2C DC=COM' filter:cn=vpnuser1   --------> Incorrect Distinguished Name: because of the space between 'DC=40LABV2' and 'DC=COM', the comma is no longer treated as the RDN separator and is sent escaped as '\2C' (the hex value of ',')
[1261] fnbamd_ldap_send-sending 67 bytes to 10.149.0.2
[1274] fnbamd_ldap_send-Request is sent. ID 2
[1120] __ldap_auth_ctx_reset-
[1257] __ldap_rxtx-Start ldap conn timer.
[1221] __ldap_rxtx-fd 9, state 4(DN Search)
[1223] __ldap_rxtx-Stop ldap conn timer.
[1260] __ldap_rxtx-
[1305] __fnbamd_ldap_read-Read 8
[1411] fnbamd_ldap_recv-Leftover 2
[1305] __fnbamd_ldap_read-Read 94
[1484] fnbamd_ldap_recv-Response len: 96, svr: 10.149.0.2
[1164] fnbamd_ldap_parse_response-Got one MESSAGE. ID:2, type:search-result
[1186] fnbamd_ldap_parse_response-Error 34(0000208F: LdapErr: DSID-0C090A65, comment: Error processing name, data 0, v3839)
[1200] fnbamd_ldap_parse_response-ret=34
[239] fnbamd_comm_send_result-Sending result 1 (nid 0) for req 92676843257857, len=2596
authenticate 'vpnuser1' against 'WinServ-LDAP' failed!

The admin bind (message ID 1) succeeds, which is why 'Test Connectivity' looks fine; the search (message ID 2) is rejected by the server with LDAP result code 34 (invalidDNSyntax), shown as 'Error processing name'. Disable the debug output afterwards with 'diag debug disable'.
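The escaped comma in the search base is easier to understand, and easier to catch before it reaches the firewall, with a small DN hygiene check. The following Python is an added example, not part of this article and not FortiOS code: it applies the RFC 4514 escaping rules to show that '\2C' is an escaped comma (0x2C) rather than a space (0x20), splits a DN on unescaped commas only, flags whitespace around the separators, and returns the cleaned DN. The sample DNs are constructed from the values in the debug output above, and the function names are the example's own.

```python
# Added example: DN hygiene check for an LDAP server configuration.
# Not FortiOS code; the function names and the sample DNs are this example's own.

# RFC 4514 section 2.4: characters that must always be escaped inside a value
RFC4514_SPECIAL = set(',+"\\<>;')


def escape_value(value):
    """Escape one attribute value per RFC 4514 using the \\XX hex form.

    A comma inside a value becomes '\\2C' (0x2C is ASCII ','). A space is
    0x20 and only needs escaping when it leads or trails the value.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in RFC4514_SPECIAL:
            out.append("\\%02X" % ord(ch))
        elif ch == "#" and i == 0:
            out.append("\\23")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\20")
        else:
            out.append(ch)
    return "".join(out)


def split_rdns(dn):
    """Split a DN string into RDNs on commas that are not backslash-escaped."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])   # keep escape pairs such as \2C intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur))
    return rdns


def check_dn(dn):
    """Return a list of problems to fix before saving the DN in the LDAP server object."""
    problems = []
    for raw in split_rdns(dn):
        rdn = raw.strip()
        if rdn != raw:
            problems.append("whitespace next to an RDN separator in %r" % raw)
        if "=" not in rdn:
            problems.append("RDN without '=': %r" % raw)
            continue
        attr, value = rdn.split("=", 1)
        if attr != attr.rstrip() or value != value.lstrip():
            problems.append("whitespace around '=' in %r" % raw)
        if not attr.strip() or not value.strip():
            problems.append("empty attribute type or value in %r" % raw)
        if "=" in value:
            # 'DC=40LABV2\2C DC=COM' lands here: the comma before 'DC=COM' is
            # escaped, so the whole string is parsed as a single RDN value.
            problems.append("'=' inside the value of %r: a preceding comma is escaped "
                            "instead of separating RDNs" % raw)
    return problems


def normalize_dn(dn):
    """Drop the whitespace check_dn() flags; escaped characters are preserved."""
    parts = []
    for raw in split_rdns(dn):
        rdn = raw.strip()
        attr, sep, value = rdn.partition("=")
        if not sep:
            parts.append(rdn)
            continue
        parts.append("%s=%s" % (attr.strip(), value.strip()))
    return ",".join(parts)


if __name__ == "__main__":
    # Constructed inputs: the DN from the debug output, with and without the stray space.
    bad = "DC=40LABV2, DC=COM"
    print(repr(escape_value("40LABV2,")))   # the comma escapes to \2C, a space would be \20
    print(check_dn(bad))
    print(check_dn("DC=40LABV2\\2C DC=COM"))
    print(normalize_dn(bad))
    print(check_dn(normalize_dn(bad)))
```

normalize_dn() only removes whitespace next to ',' and '='; a value that legitimately contains a comma must stay escaped (for example 'OU=Sales\2C EMEA,DC=example,DC=com'), which split_rdns() preserves because it skips escape pairs.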
To avoid authentication failures for users connecting through this LDAP server, remove the stray whitespace from the Distinguished Name in the LDAP server configuration. In this example the DN was entered with a space after the comma ('DC=40LABV2, DC=COM'); because of that space the comma is no longer recognised as the RDN separator and is sent escaped as '\2C' (the hex value of ',', not of the space, which is 0x20). Entering the DN as 'DC=40LABV2,DC=COM' makes the search base valid again. A DN value that genuinely contains a special character must be escaped, as described in the related article below.
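The corrected LDAP server object, as an added example built from the names in the debug output (server 10.149.0.2, bind user 'FortiGate', object 'WinServ-LDAP'); it is not a configuration taken from the article. The bind password is a placeholder, and 'cn' as the common name identifier is assumed from the search filter 'cn=vpnuser1'. The faulty value was 'DC=40LABV2, DC=COM'; the only change is the removal of the space after the comma:

```text
config user ldap
    edit "WinServ-LDAP"
        set server "10.149.0.2"
        set cnid "cn"
        set dn "DC=40LABV2,DC=COM"
        set type regular
        set username "FortiGate"
        set password <bind-password>
    next
end
```

After the change, re-run 'diagnose test authserver ldap WinServ-LDAP vpnuser1 <password>' with the fnbamd debug enabled: the 'DN Search' request should now carry base:'DC=40LABV2,DC=COM' and no longer return error 34.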
Related article: Technical Note: How to enter special characters in the Distinguished Name for LDAP